I'm learning wireless penetration testing. It really is amazing. But it made me wonder, what about mobile phones? They are also a means of wireless communication. So our entire voice must be in the air surrounding us. So, what makes it difficult to intercept?

By the way, is there any standard like 802.11 for Wi-Fi for telecommunication over mobile phones? If yes, what is it? Kindly point me to the reference. I want to have a glance at it.

As per your bounty, what extra information are you looking for? The questions below fully answer part 2 of your question, so I'm guessing you want something else from the first part?
–
Rory Alsop♦Jun 19 '12 at 10:30

Oops, it appears the zrtp.org plugin works on several other platforms, probably not as user friendly, but still.
–
Jeff BurdgesJun 21 '12 at 14:08


I say this without authority: I recommend removing the additional questions you added and turning them into additional separate question posts. I like that they are more specific than the originals, but they are now beyond this thread in its current state. Paraphrasing, "what makes interception difficult" and "what telecommunication protocols exist", while interesting, are what all the work performed hereto has been devoted to, whether it missed the mark or not.
–
chao-muJun 21 '12 at 18:13

5 Answers

For telecommunications, check out GSM, CDMA, TDMA, and EDGE. The two competing protocols in the United States are GSM and CDMA. The resources linked below are lacking when it comes to CDMA, but using site:defcon.org and site:blackhat.com in your Google searches will turn up some presentations.

For interception of GSM, I refer you to a white paper on "Intercepting GSM traffic" from the BlackHat conference:

Abstract: This talk is about GSM security. We will explain the security, technology and protocols of a GSM network. We will further present a solution to build a GSM scanner for 900 USD. The second part of the talk reveals a practical solution to crack the GSM encryption A5/1.

This document will first provide a brief description of the various evolutions of public mobile networks that have been commercially deployed, followed by a discussion on the evolution toward the newer "long term evolution" technologies. We then discuss possible configurations for lawful interception of the evolving mobile networks, followed by descriptions of approaches to 3G / 4G interception solutions now available from Aqsacom.

Also note that smart phones typically just automatically connect to networks whose SSIDs they remember. Sniff the airwaves for the probes the phone is sending out and set up an evil access point with a matching SSID. Launch a remote attack across the network, or man-in-the-middle the device and launch a client-side attack appropriate to the device.

The main thing to note about Lawful Interception is that the voice data isn't encrypted once it gets to the base station, so the government only has to record it (with the co-operation of the telco); it is, however, encrypted between the phone and the base station.
–
SavaraJun 14 '12 at 14:37

3G Security Architecture
There are five different sets of features that are part of the architecture:
Network Access Security:
This feature enables users to securely access services provided by the 3G network. This feature is responsible for providing identity confidentiality, authentication of users, confidentiality, integrity and mobile equipment authentication. User Identity confidentiality is obtained by using a temporary identity called the International Mobile User Identity. Authentication is achieved using a challenge response method using a secret key. Confidentiality is obtained by means of a secret Cipher Key (CK) which is exchanged as part of the Authentication and Key Agreement Process (AKA). Integrity is provided using an integrity algorithm and an integrity key (IK). Equipment identification is achieved using the International Mobile Equipment Identifier (IMEI).

It's encrypted. No problem. But how can I intercept and get that encrypted content?
–
clawsJun 13 '12 at 20:09

If you can break the encryption then no problem: it being wireless, you can simply pull it from the air. However, the encryption is a challenge, so another attack is to become a cell transmission tower and run a MITM attack.
–
Rory Alsop♦Jun 14 '12 at 11:44

Like any other secured communication, it could be possible to decode the GSM/CDMA wireless traffic; the question is how tough it is and how much infrastructure cost is required to decode it. Coming to a simple answer, though many details and much analysis have already been posted here, it is difficult to intercept them because:

There exists a secure element in the Mobile Equipment called the SIM. The device is a smart card which contains a secret key. The secret key is initialized into the SIM card in the process of personalization by the telco. The shared secret is known only to the telco and the SIM itself.

In the initial handshake protocol, in which the Mobile device registers with the telco network, there exists a challenge-response protocol in which the identity of the SIM is established to the telco. After this process, in conjunction with the Mobile Equipment, a session key is derived and the entire communication is encrypted using some variant of the A5 algorithm.

This is how the communication is secured and how it cannot be intercepted.
The ecosystem is designed in such a way that the handshake happens at some regular interval and so the session key keeps changing.

Even if an attacker were to create a tampered Mobile Equipment, it is impossible to extract the secret key from the smart card.

With the advent of high-capability crypto smart cards and higher bandwidths, the security model has changed to mutual authentication, in which case the network authenticates the card and the card also authenticates the network (telco) using a combination of symmetric and asymmetric encryption and signing processes.

The above context was more with respect to GSM technology. In CDMA, it uses a technique called frequency hopping spread spectrum, using which a data pipe takes more bandwidth and space than it would actually have required, thus scattering the data like dust particles (just an explanation). So for an interceptor it becomes tough to regenerate the actual data from some reference data out of the scattered data.

As far as your other question regarding 802.11 standards for mobile devices, AFAIK the standards are the same for any device which wants to use 802.11, whether it is a mobile or a simple laptop device. The security requirement is imposed by the 802.11 routers.

What exactly is SIM (Subscriber Identity Module) Card?

SIM (Subscriber Identity Module) is a specialized smart card in a form factor which can be inserted into a mobile device. A smart card is not a secret password but a slave computing device (simple explanation). Unlike the thumb drives which we use for storing data, a SIM card doesn't allow an external entity to directly access the memory in the chip. The SIM card acts as a computer in the sense that the other computer (reader or mobile equipment) needs to have a protocol for communication. There are standards like ISO 7816-4 which provide a command interface using which an external reader can communicate with the smart card.

How does SIM Card play role in Establishing connection between Phone & Network Operator?

Now I will try to explain the basic steps again how the security is established in the entire life cycle of SIM and secure mobile communication:

When the telco initializes the SIM card, it inserts a secret key into the SIM card using the ISO 7816 command set. The security of the key file is such that it cannot be read. The SIM card will only allow operations like encipher or signing using the file. When the manufacturer of the SIM card ships the smart card to the telco, it initializes it with an initialization key which it secretly shares with the telco. The SIM shall allow loading of the key file by the telco only if the telco can prove that it has the initialization key or PIN. In this way the telco has full control over the SIM. In the process of initialization of the SIM by the telco, the telco maps a serial number in its system and the same number is printed on the back side of the SIM (for example). This number is used by the telco at a later stage to map and activate a SIM card. Technically the printed serial number enables the telco to fetch the secret key for activating the SIM and informing the same to its validation systems.

When the SIM is inserted into the Mobile Equipment, the mobile equipment scans for available networks present in the air in the 900/1800/1900 channels. It talks to the desired network to let it register to the network. The mobile sends the unique SIM ID to the network. The network sends a challenge to the mobile device. Using the ISO 7816 command specification, the mobile equipment constructs the required command for the authentication request, which also contains the challenge received by the equipment from the network. The SIM card, using the secret key, encrypts the challenge and sends it as the response to the ISO 7816 command to the equipment. The response is passed to the network by the mobile equipment. The network validates the response as it also possesses the secret key in its system, mapped with the unique SIM identifier. Based on the validation the network either grants or denies registration to the mobile equipment in the network. The further process of generation of the session key is slightly complex and is beyond the scope of this context. The SIM is not required any more by the equipment. At regular intervals the network shall ask the equipment to redo the challenge-response, in which case the SIM shall again be used. For this reason, if you have a mobile device in which the SIM can be removed without removing the battery, your mobile shall continue to operate for a finite period of time.

How does Manual & Automatic Registration of Network Work?

Now coming to the issue of manual and automatic registration. When the telco initializes the SIM it writes one more read-only file in the SIM which contains the network ID. This helps the mobile to decide the preference order in which it should select, from the list of available network providers, the one with which it should make the first attempt to register.

In case the file is not available, the mobile will make attempts in a sequential manner through the list of network providers. The mobile also maintains a history record of the SIM ID and the network to which it registered, which helps to speed up the process when the equipment is restarted by judging the network to which the request for registration should be sent first.

How WiFI Security differs from GSM Security?

Now coming to Wi-Fi and 802.11 communications using the mobile device. Here the SIM is not part of any communication or authentication. In fact, you can connect to Wi-Fi without the SIM present in the device. The security guidelines for Wi-Fi are provided in the Wi-Fi specifications. Based on the security rules configured in the router, the clients have to authenticate and have the channel of communication secured and encrypted, or not secured. The mobile device just contains the client hardware and software to use a Wi-Fi network in addition to the GSM radio.

Thank you! That's new information. Could you kindly point me to a resource to study more about what you've said in 1st & 2nd point?
–
clawsJun 21 '12 at 15:31

Btw, is the SIM something like a secret password for connecting to an access point in Wi-Fi? I just noticed in my mobile that there is an option of Network Selection Mode (set to Automatic by default). When I changed it to Manual, it showed me a list of Mobile Network Operators (like Airtel, Vodofone IN, Tata GSM, Tata Docomo, Cellone, Idea etc). This looks similar to Windows showing a list of Wi-Fi networks (access points). Now with Wi-Fi, we can connect to some networks only with a password. So, I can only connect to the Airtel network because I've got the password (SIM) provided by Airtel. Am I right?
–
clawsJun 21 '12 at 15:39

Hi @claws. Please find the clarifications in my post. I will post some basic PDF links later using which you can understand mobile wireless security. The standards are available from ETSI, which will be slightly complex to understand initially. The explanation I have given in the post is put in a simple way, more to understand the basics; the actual and current security needs to be understood from the current specifications. The post shall give you a fair idea of how the mobile works using the SIM. It's better if you read the basics of smart cards, which will help you more to know the system.
–
Mohit SethiJun 22 '12 at 5:32
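As an added example, not part of the answers above or of any ETSI or operator code: a Python model of the registration handshake just described (the network sends a challenge, the SIM answers with a response computed under its secret key, both sides derive the A5 session key) alongside the 3G mutual authentication the earlier answers mention (AKA, where the handset also checks a token from the network before answering). The 128-bit RAND, 32-bit SRES, 64-bit Kc and the AUTN layout SQN xor AK || AMF || MAC follow the standards; everything else is an assumption of this example: the operator-specific A3/A8 and f1..f5 algorithms are replaced by an HMAC-SHA256 stand-in, the IMSI and keys are constructed, and AUTS re-synchronisation is left out.

```python
# Added example (not from the original answers): toy model of the GSM
# challenge-response and of 3G AKA mutual authentication. The operator-specific
# A3/A8 (2G) and f1..f5 (3G) algorithms are replaced by an HMAC-SHA256 stand-in;
# the subscriber data is constructed for the demo.
import hashlib
import hmac
import secrets


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed function standing in for A3/A8 and f1..f5 (assumption, not a real algorithm)."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sim:
    """SIM/USIM: holds Ki, answers challenges over its command interface, never exports Ki."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki          # written once by the operator; not readable afterwards
        self._sqn_seen = -1    # highest sequence number accepted so far (3G replay check)

    def gsm_run(self, rand: bytes):
        """2G: RAND (16 bytes) -> SRES (4 bytes), Kc (8 bytes). Any challenger is answered."""
        return _prf(self._ki, b"A3", rand)[:4], _prf(self._ki, b"A8", rand)[:8]

    def aka_run(self, rand: bytes, autn: bytes):
        """3G: AUTN = (SQN xor AK) || AMF || MAC; the MAC is checked before anything is returned."""
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_bytes = _xor(sqn_xor_ak, _prf(self._ki, b"f5", rand)[:6])
        if not hmac.compare_digest(mac, _prf(self._ki, b"f1", sqn_bytes, amf, rand)[:8]):
            raise ValueError("MAC failure")            # network does not know Ki
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self._sqn_seen:
            raise ValueError("synchronisation failure")  # replayed or stale challenge
        self._sqn_seen = sqn
        return (_prf(self._ki, b"f2", rand)[:8],        # RES
                _prf(self._ki, b"f3", rand)[:16],       # CK
                _prf(self._ki, b"f4", rand)[:16])       # IK


class AuC:
    """Operator authentication centre: the only other holder of each subscriber's Ki."""

    def __init__(self):
        self._keys, self._sqn = {}, {}

    def provision(self, imsi: str, ki: bytes):
        self._keys[imsi], self._sqn[imsi] = ki, 0

    def gsm_triplet(self, imsi: str):
        ki, rand = self._keys[imsi], secrets.token_bytes(16)
        return rand, _prf(ki, b"A3", rand)[:4], _prf(ki, b"A8", rand)[:8]

    def aka_vector(self, imsi: str, amf: bytes = b"\x80\x00"):
        ki, rand = self._keys[imsi], secrets.token_bytes(16)
        self._sqn[imsi] += 1
        sqn_bytes = self._sqn[imsi].to_bytes(6, "big")
        mac = _prf(ki, b"f1", sqn_bytes, amf, rand)[:8]
        autn = _xor(sqn_bytes, _prf(ki, b"f5", rand)[:6]) + amf + mac
        return (rand, autn, _prf(ki, b"f2", rand)[:8],
                _prf(ki, b"f3", rand)[:16], _prf(ki, b"f4", rand)[:16])


def gsm_authenticate(auc: AuC, sim: Sim):
    """Network side of the 2G exchange. Returns (accepted, Kc or None)."""
    rand, xsres, kc = auc.gsm_triplet(sim.imsi)   # challenge sent over the air
    sres, kc_sim = sim.gsm_run(rand)              # phone hands RAND to the SIM, returns SRES
    if hmac.compare_digest(sres, xsres) and kc == kc_sim:
        return True, kc                           # both ends now hold the A5 session key
    return False, None


def aka_authenticate(auc: AuC, sim: Sim):
    """3G: handset checks AUTN, then the network checks RES. Returns (accepted, reason)."""
    rand, autn, xres, ck, ik = auc.aka_vector(sim.imsi)
    try:
        res, ck_sim, ik_sim = sim.aka_run(rand, autn)
    except ValueError as err:
        return False, str(err)
    if hmac.compare_digest(res, xres) and (ck, ik) == (ck_sim, ik_sim):
        return True, "mutual authentication complete"
    return False, "RES mismatch"


def replay_rejected(auc: AuC, sim: Sim) -> bool:
    """Capture one genuine (RAND, AUTN) pair off the air and send it again."""
    rand, autn, *_ = auc.aka_vector(sim.imsi)
    sim.aka_run(rand, autn)                       # fresh SQN: accepted
    try:
        sim.aka_run(rand, autn)
    except ValueError as err:
        return str(err) == "synchronisation failure"
    return False


if __name__ == "__main__":
    imsi, ki = "001010123456789", secrets.token_bytes(16)   # constructed subscriber
    auc, sim = AuC(), Sim(imsi, ki)
    auc.provision(imsi, ki)
    print("2G genuine network:", gsm_authenticate(auc, sim)[0])
    print("3G genuine network:", aka_authenticate(auc, sim))
    rogue = AuC()
    rogue.provision(imsi, secrets.token_bytes(16))           # fake base station, wrong Ki
    print("2G SIM answers rogue:", sim.gsm_run(rogue.gsm_triplet(imsi)[0])[0].hex())
    print("3G rogue network:", aka_authenticate(rogue, sim))
    print("3G replay rejected:", replay_rejected(auc, sim))
```

Running it shows the asymmetry that the fake-cell-tower MITM suggested earlier in the thread relies on: in the 2G exchange the SIM answers a RAND from anyone, since nothing in the triplet proves who sent it, whereas the USIM rejects the same rogue with a MAC failure before computing RES or any key, and rejects a replayed genuine (RAND, AUTN) pair through the sequence number. Ki itself never leaves either class; only challenge outputs cross the interface.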

The European Telecommunications Standards Institute (ETSI) is the governing body for network providers/carriers in terms of standards which includes fixed, mobile, radio, converged, broadcast and internet technologies inside telecommunications. You're looking for some sort of IEEE/RFC for telecom networks right? Here's the link: